WIP kanidm

This commit is contained in:
Daniel Flanagan 2024-08-06 13:59:56 -05:00
parent e7b4d34399
commit 53f119285e


@ -1066,6 +1066,10 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
inherit user group; inherit user group;
mode = "0700"; mode = "0700";
}; };
"${storage}/certs".d = {
inherit user group;
mode = "0700";
};
}; };
users.groups = { users.groups = {
@ -1082,6 +1086,8 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
# the kanidm module in nixpkgs was not working for me, so I rolled my own # the kanidm module in nixpkgs was not working for me, so I rolled my own
# loosely based off it # loosely based off it
systemd.services.kanidm = { systemd.services.kanidm = {
enable = true;
path = with pkgs; [openssl];
description = "kanidm identity management daemon"; description = "kanidm identity management daemon";
wantedBy = ["multi-user.target"]; wantedBy = ["multi-user.target"];
after = ["network.target"]; after = ["network.target"];
@ -1116,25 +1122,25 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
SystemCallFilter = ["@system-service" "~@privileged @resources @setuid @keyring"]; SystemCallFilter = ["@system-service" "~@privileged @resources @setuid @keyring"];
MemoryDenyWriteExecute = true; MemoryDenyWriteExecute = true;
NoNewPrivileges = true; NoNewPrivileges = true;
PrivateDevices = true; # PrivateDevices = true;
PrivateMounts = true; # PrivateMounts = true;
PrivateTmp = true; # PrivateTmp = true;
ProcSubset = "pid"; ProcSubset = "pid";
ProtectClock = true; ProtectClock = true;
ProtectHome = true; ProtectHome = true;
ProtectHostname = true; ProtectHostname = true;
BindReadOnlyPaths = [ # BindReadOnlyPaths = [
"${storage}/certs" # "${storage}/certs"
]; # ];
BindPaths = [ # BindPaths = [
"${storage}/data" # "${storage}/data"
# socket # # socket
"/run/${name}d:/run/${name}d" # "/run/${name}d:/run/${name}d"
# backups # # backups
serverSettings.online_backup.path # serverSettings.online_backup.path
]; # ];
}; };
}; };
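Review bot: Commenting out `PrivateDevices`, `PrivateMounts`, `PrivateTmp` and both `BindReadOnlyPaths`/`BindPaths` lists on the new side of the third hunk drops the unit's device and filesystem isolation while the rest of the hardening block (`SystemCallFilter`, `NoNewPrivileges`, `Protect*`) is kept, and nothing in the commit says why. Since the commit is marked WIP, the disabled lines should at least carry a note such as `# TODO(wip): sandboxing disabled while debugging cert/socket access — re-enable before this lands`, so the weakened unit is not silently promoted. If the bind mounts were removed because the daemon needs `${storage}/data`, `${storage}/certs` and `/run/${name}d` to be reachable, `ReadWritePaths`/`ReadOnlyPaths` together with `ProtectSystem = "strict"` is the usual way to grant exactly those paths without losing the private mount namespace; whether `ProtectSystem` is already set cannot be seen here, as the `serviceConfig` block begins before this hunk and its closing lines run past it.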